disabled indexes in .htaccess.

On 5/3/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Tue, May 2, 2006 8:12 pm, kristianto adi widiatmoko wrote:
> how to secure folder upload file since the privilege of this folder is
> 777
>
> is any method to create a secure upload file ??

There is no such thing as "total security"

Here are things you can do to improve security:

1. chown the directory to the user PHP runs as, and make it be 755 or
   even 700.

2. If #1 is impossible, because you are not root, you could:
   2A. chmod the folder ABOVE your upload directory to 777 TEMPORARILY.
   2B. Use PHP script to mkdir() and chmod() new directory inside 2A.
   2C. chmod the folder ABOVE your upload directory back to 755
   You now have a PHP-user owned directory you can work with, in PHP
   scripts, to make more directories, upload files, etc.

3. *MOVE* your upload directory *OUTSIDE* your web-tree, so that
   arbitrary files uploaded are simply not something a Bad Guy can surf
   to.
   3A. Now you have to write a bunch of PHP scripts to manage/view
       those files. Tough.
   3B. The scripts you write in 3A can also make all kinds of "sanity
       checks" on the files.
       3B1. Are the files in your database listing of known files that
            belong there?
       3B2. Are the files of the right format? E.G. .jpg files should
            return reasonable values for http://php.net/getimagesize

REQUIRED READING:
http://phpsec.org

If you write one more line of code without reading the above URL, we
will have no sympathy for you when, when, not if, when your server is
trashed. Sorry.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html
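
Steps 3, 3A and 3B from the quoted reply, as an added example that is not part of the original thread: uploads are stored outside the web tree under server-generated names, and a viewer script serves only files that are in the known-files listing and still pass getimagesize(). The paths, the `image` form field, the `id` parameter and the JSON file standing in for the database listing are assumptions.

```php
<?php
// Added example; paths, field names and the JSON index are assumptions.
const UPLOAD_DIR = '/var/app-data/uploads';       // outside the document root (step 3)
const INDEX_FILE = '/var/app-data/uploads.json';  // stand-in for the database listing (3B1)
const ALLOWED = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

function load_index(): array {
    $raw = is_file(INDEX_FILE) ? file_get_contents(INDEX_FILE) : '';
    return json_decode($raw ?: '{}', true) ?: [];
}

// 3B2: accept the file only if getimagesize() recognises an allowed image type.
function image_type_or_null(string $path): ?int {
    $info = @getimagesize($path);
    if ($info === false || $info[0] < 1 || $info[1] < 1) return null;
    return in_array($info[2], ALLOWED, true) ? $info[2] : null;
}

// Store an upload under a server-generated name; the client's name is never used as a path.
function store_upload(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) return null;
    $type = image_type_or_null($file['tmp_name']);
    if ($type === null) return null;
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) return null;
    chmod(UPLOAD_DIR . '/' . $id, 0600);           // readable by the PHP user only
    $index = load_index();
    $index[$id] = ['type' => $type, 'orig' => basename($file['name'])];
    file_put_contents(INDEX_FILE, json_encode($index), LOCK_EX);
    return $id;
}

// 3A: the viewer script. Serves only ids that are in the index and still look like images.
function serve_upload(string $id): void {
    $index = load_index();
    $path = UPLOAD_DIR . '/' . $id;
    if (!preg_match('/^[0-9a-f]{32}$/', $id) || !isset($index[$id])
        || !is_file($path) || image_type_or_null($path) !== $index[$id]['type']) {
        http_response_code(404); return;
    }
    header('Content-Type: ' . image_type_to_mime_type($index[$id]['type']));
    header('X-Content-Type-Options: nosniff');     // browser must not re-guess the type
    readfile($path);
}

if (isset($_FILES['image'])) {
    echo store_upload($_FILES['image']) ?? 'rejected';
} elseif (isset($_GET['id']) && is_string($_GET['id'])) {
    serve_upload($_GET['id']);
}
```

A file that passes getimagesize() can still carry other data after a valid image header, which is why the example never lets the web server execute or type-sniff the stored file and always sends a fixed Content-Type.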